Add a way to configure the cipher suite used for TLS

[urmilparikh95]

Is your feature request related to a problem? Please describe.

Currently the cipher suites used by pinniped for TLS are hard-coded. So there is no way to configure them based on user specific requirements.

Describe the solution you'd like

Allow a config which can override/add/limit the hard-coded ciphers.

[joshuatcasey]

Thanks for the issue. I suspect what we should do is allow the user to limit the hard-coded ciphers. I think this would be like performing a union intersection on the hard-coded and the provided ciphers to achieve the actual result.

For example, if this is the hardcoded list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

And this is the user-provided list:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

The resulting ciphers will actually be configured:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

[urmilparikh95]

You mean an intersection right. Not a Union. I believe that should solve the current issue

[AllieChen01]

Hello team, I have one customer requests adding the ability to configure the ciphers to Pinniped.
added the feature to open source Pinniped for TKGm 2.4.

RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384

[joshuatcasey]

I will start this work for opensource Pinniped soon. Adding the feature to a product that uses Pinniped (such as TKGm) is a different scope of work.